The Federal Financial Institutions Examination Council
(FFIEC) member agencies (regulatory agencies)1 and the Conference of State Bank Supervisors are relaying comments made by financial institutions regarding lessons they learned from the effects of Hurricane Katrina. Financial institutions have responded admirably to the unique challenges raised by successive hurricane seasons with significant storms. Major challenges faced by these institutions included the following:

Communications outages made it difficult to locate missing personnel.

Access to and reliable transportation into restricted areas were not always available.

Lack of electrical power or fuel for generators rendered computer systems inoperable.

Business continuity plans generally worked very well in enabling institutions to meet these challenges and to restore operations swiftly. However, the unprecedented magnitude and duration of the effects of Hurricane Katrina caused major disruptions that exceeded the scope of the disaster recovery and business continuity plans of some financial institutions. Many institutions had to adjust plans and improvise responses to successfully address unexpected complications. For example, institutions adapted procedures to facilitate cashing checks for non-customers. Overall, institutions prevailed in very difficult circumstances through advance planning and preparation, and by working together. As a result of these efforts, the financial industry was able to assist customers and communities in their time of greatest need. Certain financial institutions affected by Hurricane Katrina and its aftermath have relayed the following experiences or lessons learned that your institution may find helpful in considering its readiness for responding to a catastrophic event. You may want to consider this information when conducting a review of your institution's disaster recovery and business continuity plans. These lessons learned should not be construed as new regulatory requirements, nor do they supplant or modify the guidance provided by the FFIEC in its Business Continuity Planning (BCP) Booklet. 2

Lesson Learned - Some organizations may not have anticipated or prepared for the extensive destruction and prolonged recovery period resulting from Hurricane Katrina.

Are we prepared?

A disaster like Hurricane Katrina, although infrequent, may require financial institutions to implement their disaster recovery plans and to improvise creative solutions to address unforeseen difficulties quickly. You may want to reassess how well your institution is prepared for reasonably foreseeable threats across all levels of the organization, not just from the perspective of recovering your information technology.

How much planning/preparing is enough?

You cannot prevent or anticipate all disasters, so you should prepare and practice for them. Knowing where to go and what critical functions need to be restored can provide confidence to you and your employees when responding to a disaster. Identifying potential threats, assessing their potential impact, assigning priorities, and developing planned responses are the basic principles of sound business continuity planning. Such reviews often categorize threats on a scale from high to low, according to both their probability of occurring and the impact each could have on the institution.

The impact rather than the source of the threat should
guide the development of disaster recovery and business continuity plans.
For example,02/02/2011 3:35 PMa low impact may not warrant further review. However, every threat that
could pose a high adverse impact generally warrants further consideration
regardless of its probability of occurrence.

You should implement reasonable safeguards to mitigate
the range of risks that realistically may confront your institution. Developing,
implementing, and regularly testing disaster recovery and business continuity
plans to ensure their continued effectiveness for responding to changing
business and operational needs takes time, resources, and money. You should
consider how to strike a balance between addressing the threats your institution
faces with cost-effective measures to mitigate those risks and recognizing
areas where it may be either cost-prohibitive or impossible to alleviate
your institution's exposure.

Lesson Learned -
To be realistic, disaster drills should include all critical functions and areas.

How thorough should disaster drills be?

Disaster drills should be relevant to a specific location (considering infrastructure, population centers, weather, threats of terrorism, natural disasters, etc.) and include worst-case scenarios. You may want to reconsider the frequency and scope of future testing strategies to incorporate more thorough functional and full-scale tests of all support operations, business lines, and geographies.

These periodic tests are most effective when they
simulate realistic disasters and require the processing of a sufficient
volume of all types of transactions to ensure adequate capacity and capability
at all recovery sites. The tests should also consider all critical functions
and applications, use only off-site data and supplies, and include some
level of improvisation to meet unexpected events.

For example, you may want employees to practice using
manual back-up procedures (e.g., debit and credit tickets) to process transactions
until electronic systems are restored. Or, a disaster drill could simulate
situations that involve the restoration of damaged loan files or documents,
and how to protect employees from potentially harmful exposure to contaminated
bank records, cash, or contents in safe deposit boxes.

How should we assess disaster drills?

Performance assessments after each disaster test help ensure that each simulation improves the institution's ability to recover from a catastrophic event. After conducting a drill, you should review the results to determine what worked correctly, what went wrong or not as expected, what areas can be improved, and what, if any, adjustments to your plans are needed.

Who should participate in disaster drills?

Your organization's successful recovery can hinge on the efforts of key personnel, and those key personnel may change. As a result, you should promote a "we're in this together" attitude and recognize that all employees can contribute to an institution's disaster recovery and business continuity efforts. Employees at every level of your organization should know their role in the disaster recovery and business continuity plans.

Hurricane Katrina illustrated that a widespread disaster can strand employees without access to working land-line or cellular telephone services. You may want to develop, test, and update a contact list for senior management, employees, customers, vendors, and key government agencies. Maintaining copies of this information at all sites, plus one or more off-site locations, can be very helpful in the event of a disaster.

You also may want to develop alternate ways for locating
and communicating with employees and customers. Less-traditional communication
methods might include two-way radios, cellular telephones with out-of-state
area codes and/or text messaging capability, satellite telephones, or personal
data assistant (PDAs). Employees could use these less-traditional communication
methods to report their location and obtain current information. In addition,
you may want to establish a central point of contact outside the potential
disaster area and make pre-established toll free telephone numbers available
for employees and customers.

What about the mail?

A widespread disaster can disrupt the U.S. Postal Service for an extended period. During Hurricane Katrina, customers with automatic deposit and bill payment services experienced less difficulty in maintaining their accounts. You may want to encourage or assist your customers in establishing direct deposit account relationships or automatic bill paying services to mitigate disruptions in their finances.

Lesson
Learned - Critical staff may not be able to reach their assigned recovery location.

Where is everybody?

Your disaster recovery and business continuity plans should not assume that all key personnel will be available at designated sites to assist in recovery efforts. Evacuation orders, safety and health hazards, or damaged infrastructure (e.g., washed-out roads, collapsed bridges, and downed power lines) may prevent employees from timely reporting to assigned locations, despite their best efforts.

You may want to identify alternative, prioritized
gathering place(s) for employees to meet after a disaster. Similarly, you
may want to develop multiple, alternate, prioritized contact arrangements
for employees to follow if they are unable to reach their assigned location
given the likelihood of simultaneous communications disruptions. In addition,
you may want to consider what type(s) of credentials employees will need
to gain access into a disaster area, as authorities may restrict re-entry.

What alternate transportation methods could be considered?

In the aftermath of Hurricane Katrina, many financial institutions had employees scattered across the region with limited access or means to reach the institutions' facilities. To address this, some institutions arranged alternate transportation methods, e.g., carpools, bus services, and air connections. Some institutions also developed plans to shift and transport employees either from or into affected areas.

Lesson
Learned - People are essential to the recovery of operations.

What about my family?

Employees' foremost priority will be the safety and welfare of themselves and their families. You may want to have discussions in advance with employees regarding their personal plans in the event of a disaster. You may also want to tell them what steps will be taken to provide for employees and their families who might need to stay in a disaster area or at a back-up facility.

Is everyone okay?

A widespread disaster can overwhelm medical services. Besides keeping basic first aid supplies stocked and easily accessible, you may want to make preparations for employees who have special needs. Catastrophic events not only cause physical injuries, they also create very stressful situations. Your employees may feel considerable stress after a disaster for an extended time.

What basic necessities will people need?

Damaged infrastructure, disrupted support services, and a prolonged disaster recovery period can make it extremely difficult for employees to obtain basic necessities. Some institutions reported that they have developed short-term and long-term plans for meeting essential human necessities to encourage employees to remain in the area(s) where the institution is operating and so that employees can focus on resuming financial operations. These plans addressed supplies and services such as:

Food, drinking water, and safe lodging

Vital supplies
such as medicine, clothing, etc.

Child care, especially if schools are closed

Lesson
Learned - Replacement supplies may be difficult to obtain during a protracted recovery period.

How do we obtain more supplies?

A widespread disaster can severely disrupt normal support services and cause a prolonged recovery period. Most institutions' disaster recovery and business continuity plans provide sufficient supplies at the primary operations center and the back-up site to permit several days of operation. However, obtaining replacement supplies as initial stocks are exhausted can be difficult as stores may not be open, and new shipments may be delayed due to transportation delays or damaged infrastructure.

Some institutions reported that they instituted long-term
arrangements to replenish basic supplies such as business forms and fuel
over an extended period, although this process can encounter unexpected
obstacles during an emergency. For example, some institutions contracted
to have replacement fuel and other supplies delivered as existing stocks
were depleted. However, military personnel, law enforcement officers, or
rescue workers had priority in some cases for these supplies, especially
fuel. Consequently, you may want to consider this possibility in your planning.
With respect to replenishment of routinely used forms, some institutions
maintained a master set of routinely used forms at an alternate but easily
accessible site.

Employee safety is of paramount importance and should
carefully be considered in deciding whether to attempt temporary repairs.
However, some institutions found it useful to maintain some basic supplies
such as tarps, plywood, tools, etc. to board up broken windows, prevent
water leakage from exposed roofs, etc. Demand for these materials will
surge and may be in short supply following a widespread disaster.

If our facilities are not safe, what alternate facilities could we use?

Facilities should be safe prior to allowing personnel to re-enter the premises. A professional inspection may be necessary or advisable as some types of structural problems are difficult to detect. An inspection of your sites may determine that the damage to these premises is so severe that it is not safe to resume business operations at those locations.

Your risk assessments and planning should contemplate
that your facilities may not be available, and that alternate facilities
arrangements may become necessary. Some common substitute accommodations
arranged by institutions in the aftermath of Hurricane Katrina included
renting undamaged buildings or leasing mobile units. Also, a number of
financial institutions entered into "partner institution" or "buddy bank" agreements. These included organizations opening shared facilities and unaffiliated institutions granting affected institutions access to teller stations. Other institutions executed reciprocal agreements where IT systems were shared. Having these types of agreements in place prior to a disaster could significantly improve your institution's ability to resume operations more expeditiously and efficiently after a catastrophic event.

Some disasters can affect a large geographical area.
Technological advances in warning systems enabled financial institution
managers to activate disaster recovery and business continuity plans 72
to 96 hours prior to Hurricane Katrina making landfall. Before deciding
which alternative to pursue, most institutions monitored and/or tracked
the predicted path of any adverse conditions; thereby enabling personnel
to select a location less likely to be affected by the potential disaster.

What procedures do we follow to establish temporary facilities?

You may want to determine in advance what types of building inspections and permits are required for temporary facilities and to maintain contact information for the governmental authorities that have jurisdiction over these matters. Federal and state bank regulatory agencies expedited or waived many application procedures for establishing a temporary facility after Hurricane Katrina.

Lesson
Learned - The location of any back-up site can be critical to successful recovery efforts.

Where should the back-up site be located?

In the aftermath of Hurricane Katrina, data recovery efforts for some financial institutions were hampered by limited access to back-up sites that were in close proximity to the primary location. Institutions with back-up sites reported that they found them most useful when they were located sufficiently far away so as not to be affected by the same infrastructure and other risk elements as the primary operations center.

If you have a back-up site, you may want to reassess
its location and the probability that it may be affected by the same risks
that threaten your primary locations. In addition, you may want to provide
your primary regulator the names, alternate telephone numbers, and addresses
of personnel to contact if evacuation and/or disaster recovery plans have
been activated.

Do the recovery facilities have sufficient capacity?

The number of institutions affected by Hurricane Katrina created unexpected demands on some servicers' back-up sites. You will want to ensure that your back-up facility has adequate capacity to process transactions in a timely manner.

In assessing this capacity, you may want to consider
not only the needs of your customers in an affected area, but also the
demands that other affected institutions may place on a given back-up site
or servicer. You may want to reassess processing capabilities and joint
testing of your recovery plans with your servicer.

How do we assure that we will have electrical power?

Many financial institutions' primary and back-up facilities lost power in the aftermath of Hurricane Katrina because the power transmission grid was not operational. It is not uncommon for all of a financial institution's facilities to be on the same power transmission grid. Therefore, you may want to check with your local power company to determine how it supplies electricity to your primary operations center and your back-up site(s). If the same source supplies electricity to both sites, you may want to consider an alternate location or explore the feasibility of installing an independent power supply at one of the facilities.

What about back-up power sources?

Many institutions affected by Hurricane Katrina used portable generators powered by gasoline or propane as a primary back-up power source. Some institutions pre-wired generators for their most important equipment. Depending on their capacity, these machines usually can provide power for critical operations, but typically should not be used to meet all electrical needs.

You also may want to consider appropriate locations
for operating a generator and for storing fuel. Fuel storage containers
and generators can leak, and generators may produce deadly carbon monoxide
gas and can be subjected to the same damage that the site experiences.

Lesson
Learned - Processing transactions may be extremely difficult.

How can we overcome difficulties in processing transactions electronically?

The widespread power and telecommunications outages after Hurricane Katrina hindered electronic transaction processing. Most institutions had multiple types of back-up and timely back up of data, which assisted in recovery of applications and business resumption. In some cases, however, manual processing was required. While this may be a short-term solution, connectivity with the data processing facility is critical in order to restore and sustain routine financial services. If telecommunications cannot be recovered, transaction items must be physically transported to other processing sites.

Lesson
Learned - Be prepared to operate in a "cash only" environment.

Why would we need more cash?

Power and telecommunications outages can disrupt all electronic forms of payments, such as debit and credit card payments. Customers and employees remaining in, or evacuating from, affected areas may need unexpectedly large amounts of cash to pay for critical goods and services. In anticipation of hurricanes or other disasters with advance warning, some financial institutions developed plans for ordering larger shipments of cash prior to the expected onset. These institutions also reported the need to plan for enhanced security precautions.

What if the vault and/or ATMs are damaged?

Damaged vaults and ATMs were significant concerns for some institutions affected by Hurricane Katrina. Currency can be damaged or ruined by water or pollutants. You may want to keep vault cash in clear, waterproof bags to minimize the possibility of contamination from standing water.

While the financial system is recognized as a part of the critical infrastructure, 3 financial institutions have to compete with the restoration of other critical components during recovery efforts. Some financial institutions have joined regional coalitions to facilitate critical infrastructure planning efforts. By anticipating and addressing such issues in advance, you can better prepare your staff to overcome unexpected obstacles.

For example, obtaining additional cash (a critical
commodity in an affected area) can hinge on whether telecommunications
and electrical services have restored power and processing capability to
institutions or ATMs, the transportation authorities have reopened traffic
routes, and the petroleum industry has provided fuel so armored couriers
can enter and leave disaster zones.

You may want to contact local and state officials
to understand the priority that will be given to financial institutions
to restore critical services. You can reach your state homeland security
contact at www.DHS.gov/dhspublic/display?theme=11&colntent=3138 .

Lesson
Learned - A financial institution's involvement in neighborhood, city, state, federal, and non-profit or volunteer programs can facilitate a community's recovery from a catastrophic event.

How can we work with other programs?

The Department of Homeland Security recognized that non-governmental organizations, such as non-profit, volunteer, and private sector entities, play a fundamental role in response and recovery efforts. These organizations can contribute in ways that are, in many cases, key to a community's successful recovery after a catastrophic event.4 You may want to contact local chapters of these entities to discuss ways the organizations might work together to benefit the community.

What can regulatory agencies do to assist us?

During the past hurricane season, the regulatory agencies communicated with the industry and the public through a variety of media, including television and radio broadcasts, websites, and national call centers. You may want to maintain a list of regulatory points of contact and reference data to establish clear lines of communication between your institution and primary regulator. A current list of some important regulatory telephone numbers and website addresses is included below.

To order additional hard copies of this
brochure or a CD-ROM with the files to reprint, please use the online
Customer Assistance
Form on the FDIC's web site or contact the FDIC's
Public Information Center (1-877-275-3342 or 703-562-2200).

1 The Board of Governors of the Federal
Reserve System, Federal Deposit Insurance Corporation, National Credit
Administration, Office of the Comptroller of the Currency, and Office
of Thrift Supervision.